Amazon SCS-C02 Exam Practice Test Instant Access

Question 1

An AWS account includes two S3 buckets: bucketl and bucket2. The bucket2 does not have a policy defined, but bucketl has the following bucket policy:

In addition, the same account has an 1AM User named "alice", with the following 1AM policy.

Which buckets can user "alice" access?

Abucketl only

Bbucket2 only

CBoth bucketl and bucket2

DNeither bucketl nor bucket2

Answer : C

Question 2

A company uses Amazon Cognito for external user authentication for a web application. External users report that they can no longer log in to the application. What is the FIRST step that a security engineer should take to troubleshoot the problem?

AReview AWS CloudTrail togs to identify authentication errors that relate to Cognito users.

BUse AWS Identity and Access Management Access Analyzer to delete all unused 1AM roles and users

CReview any recent changes in Cognito configuration, 1AM policies, and role trust policies to identify issues.

DWrite a script that uses CLI commands to reset all user passwords in the Cognito user pool.

Answer : C

Question 3

A company runs a global ecommerce website that is hosted on AWS. The company uses Amazon CtoudFront to serve content to its user base. The company wants to block inbound traffic from a specific set of countries to comply with recent data regulation policies.

Which solution will meet these requirements MOST cost-eftectively?

ACreate an AWS WAF web ACL with an IP match condition to deny the countries' IP ranges. Associate the web ACL with the CloudFront distribution.

BCreate an AWS WAF web ACL with a geo match condition to deny the specific countries. Associate the web ACL with the CloudFront distribution.

CUse the geo restriction feature in CloudFront to deny the specific countries.

DUse geolocation headers in CloudFront to deny the specific countries.

Answer : C

Question 4

A company has configured a gateway VPC endpoint in a VPC. Only Amazon EC2 instances that reside in a single subnet in the VPC can use the endpoint The company has modified the route table for this single subnet to route traffic to Amazon S3 through the gateway VPC endpoint. The VPC provides internet access through an internet gateway.

A security engineer attempts to use instance profile credentials from an EC2 instance to retrieve an object from the S3 bucket, but the attempt fails. The security engineer verifies that the EC2 instance has an 1AM instance profile with the correct permissions to access the S3 bucket and to retrieve objects. The security engineer also verifies that the S3 bucket policy is allowing access properly. Additionally, the security engineer verifies that the EC2 instance's security group and the subnet's network ACLs allow the communication.

What else should the security engineer check to determine why the request from the EC2 instance is failing?

AVerify that the EC2 instance's security group does not have an implicit inbound deny rule for Amazon S3.

BVerify that the VPC endpoint's security group does not have an explicit inbound deny rule for the EC2 instance.

CVerify that the internet gateway is allowing traffic to Amazon S3.

DVerify that the VPC endpoint policy is allowing access to Amazon S3.

Answer : D

Question 5

Amazon CtoudWatch Logs agent is successfully delivering logs lo the CloudWatch Logs service. However, logs stop being delivered after the associated log stream has been active for a specific number of hours.

What steps are necessary to identify the cause of this phenomenon? (Select TWO.)

AEnsure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified

BVerify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.

CConfigure an Amazon Kinesis producer to first put the logs into Amazon Kinesis Streams.

DCreate a CloudWatch Logs metric to isolate a value that changes at least once during the period before logging stops.

EUse AWS CloudFormation to dynamically create and maintain the configuration file for the CloudWatch Logs agent.

Answer : A, B

Question 6

A company is running workloads on AWS. The workloads are in separate AWS accounts for development, testing, and production. All the company's developers can access the development account. A subset of the developers can access the testing account and the production account.

The company is spending too much time managing individual credentials for every developer across every environment. A security engineer must implement a more scalable solution that the company can use when a developer needs different access. The solution must allow developers to access resources across multiple accounts. The solution also must minimize credential sharing.

Which solution will meet these requirements?

AUse AWS Identity and Access Management Access Analyzer to identity the permissions that the developers need on each account. Configure 1AM Access Analyzer to automatically provision the correct access for each developer.

BCreate an Amazon Simple Workflow Service (Amazon SWF) workflow. Instruct the developers to use the workflow to request access to other accounts when additional access is necessary.

CCreate I AM roles in the testing account and production account. Add a policy that allows the sts:AssumeRole action to the roles. Create 1AM roles in the development account for the developers who have access to the testing and production accounts. Add these roles to the trust policy on the new roles in the testing and production accounts.

DCreate service accounts in the testing environment and production environment. Give the access keys for the service accounts to developers who require access to the testing account and the production account. Rotate the access keys for the service accounts periodically.

Answer : C

Question 7

A security engineer is investigating a malware infection that has spread across a set of Amazon EC2 instances. A key indicator of the compromise is outbound traffic on TCP port 2905 to a set of command and control hosts on the internet.

The security engineer creates a network ACL rule that denies the identified outbound traffic. The security engineer applies the network ACL rule to the subnet of the EC2 instances. The security engineer must identify any EC2 instances that are trying to communtcate on TCP port 2905.

Which solution will identify the affected EC2 instances with the LEAST operational effort?

ACreate a Network Access Scope in Amazon VPC Network Access Analyzer. Use the Network Access Scope to identify EC2 instances that try to send traffic to TCP port 2905.

BEnable VPC flow logs for the VPC where the affected EC2 instances are located Configure the flow logs to capture rejected traffic. In the flow logs, search for REJECT records that have a destination TCP port of 2905.

CEnable Amazon GuardDuty Create a custom GuardDuty IP list to create a finding when an EC2 instance tries to communicate with one of the command and control hosts. Use Amazon Detective to identify the EC2 instances that initiate the communication.

DCreate a firewall in AWS Network Firewall. Attach the firewall to the subnet of the EC2 instances. Create a custom rule to identify and log traffic from the firewall on TCP port 2905. Create an Amazon CloudWatch Logs metric filter to identify firewall logs that reference traffic on TCP port 2905.

Answer : B

Amazon SCS-C02 AWS Certified Security - Specialty Exam Practice Test